PKA key token sections

A PKA key token is either for an ECC key or an RSA key. In either case, it is the concatenation of an ordered set of sections.

PKA key tokens can be built with the PKA Key Token Build verb. Either RSA or ECC key tokens can be built.

An RSA key-token is a concatenation of these ordered sections:

  • A token header:
    • An external header (first byte X'1E')
    • An internal header (first byte X'1F')
  • An optional RSA private-key section in one of the token types shown in Table 1:
    Table 1. Optional RSA private key sections

    Optional RSA private key sections. A table with five columns.

    Private key section identifier (token type) Modulus bit length and key format RSA key not protected by an object protection key (OPK) RSA key protected by OPK that is wrapped by DES KEK or PKA MK RSA key protected by OPK that is wrapped by an AES key
    External RSA key tokens (first byte of PKA key-token header X'1E')
    X'02' (RSA-PRIV) 512 - 1024 M-E (Modulus-Exponent) Private key in the clear or wrapped by DES KEK N/A N/A
    X'05' (input only, replaced by X'08') 512 - 2048 CRT (Chinese-Remainder Theorem) Private key in the clear N/A N/A
    X'08' (RSA-CRT) 512 - 4096 CRT N/A Private key in the clear or wrapped by OPK, with OPK data wrapped by DES KEK N/A
    X'09' (RSAMEVAR) 512 - 4096 M-E Private key in the clear or wrapped by DES KEK N/A N/A
    X'30' (RSA-AESM and RSAAESM2) 512 - 4096 M-E N/A N/A Private key in the clear or wrapped by OPK, with OPK data wrapped by AES KEK
    X'31' (RSA-AESC and RSAAESC2) 512 - 4096 CRT N/A N/A Private key in the clear or wrapped by OPK, with OPK data wrapped by AES KEK
    Internal RSA key tokens (first byte of PKA key-token header X'1F')
    X'05' (input only, replaced by X'08') 512 - 2048 CRT Private key wrapped by PKA MK N/A N/A
    X'06' (old RSA-PRIV) 512 - 1024 M-E N/A Private key wrapped by OPK, with OPK data wrapped by PKA MK N/A
    X'08' (RSA-CRT) 512 - 4096 CRT N/A Private key wrapped by OPK, with OPK data wrapped by PKA MK N/A
    X'30' (RSA-AESM and RSAAESM2) 512 - 4096 M-E N/A N/A Private key in the clear or wrapped by OPK, with OPK data wrapped by APKA MK
    X'31' (RSA-AESC and RSAAESC2) 512 - 4096 CRT N/A N/A Private key in the clear or wrapped by OPK, with OPK data wrapped by APKA MK
  • a required RSA public-key section (section identifier X'04')
  • an optional PKA private-key name section (section identifier X'10')
  • for internal key-tokens with private keys in X'02' or X'05' sections, a required RSA private-key blinding section (section identifier X'FF'), otherwise not allowed
    Table 2. RSA private-key blinding information

    RSA private-key blinding information. A table with three columns.

    Offset (bytes) Length (bytes) Description
    000 001 Section identifier:
    X'FF'
    RSA private-key blinding information

    Used with internal key tokens created by the CCA Support Program, Version 1 (having section identifiers X'02' or X'05').

    001 001 Section version number (X'00').
    002 002 Section length in bytes (34+rrr+iii+xxx).
    004 020 SHA-1 hash value of the internal information subsection cleartext, offset 28 to the section end. This hash value is checked after an enciphered private key is deciphered for use.
    024 002 Length in bytes of the encrypted secure subsection.
    026 002 Reserved, binary zero.
    Start of the encrypted secure information subsection. An internal token with section identifiers X'02' or X'05' uses the asymmetric master key and the EDE3 algorithm. See Triple-DES ciphering algorithms.
    028 002 Length of the random number r, in bytes: rrr.
    030 002 Length of the random number multiplicative inverse r-1, in bytes: iii.
    032 002 Length of the padding field, in bytes xxx.
    034 rrr Random number r (used in blinding).
    034 + rrr iii Random number r-1 (used in blinding).
    034 + rrr + iii xxx X'00' padding of length xxx bytes such that the length from the start of the encrypted subsection to the end of the padding field is a multiple of 8 bytes.
    End of the encrypted secure information subsection.
  • an optional PKA public-key certificate section (section identifier X'40' with subsidiary sections).

An ECC key-token is a concatenation of these ordered sections:

  • a required PKA key-token header:
    • an external header (first byte X'1E')
    • an internal header (first byte X'1F')
    • an optional ECC private-key section in the token type shown in Table 3.
    Table 3. Optional ECC private key sections

    Optional ECC private key sections. A table with three columns.

    Private key section identifier (token type) ECC curve type: length of prime p in bits ECC key protected by OPK that is wrapped by an AES key
    External ECC key tokens (first byte of PKA key-token header X'1E')
    X'20' (ECC-PAIR)


    Brainpool:
    160, 192, 224, 256, 320, 384, or 512


    Prime:
    192, 224, 256, 384, or 521

    Private key in the clear or wrapped by OPK, with OPK and its data wrapped by AES KEK
    Internal ECC key tokens (first byte of PKA key-token header X'1F')
    X'20' (ECC-PAIR)


    Brainpool:
    160, 192, 224, 256, 320, 384, or 512


    Prime:
    192, 224, 256, 384, or 521

    Private key wrapped by OPK, with OPK and its data wrapped by APKA MK
  • a required ECC public-key section (section identifier X'21')
  • an optional PKA private-key name section (section identifier X'10')
  • an optional PKA public-key certificate section (section identifier X'40')
  • an optional ECC key-derivation information section (section identifier X'23').